[buddypress-trac] [BuddyPress Trac] #7948: HTML sanitization for user-generated content in notification emails

buddypress-trac noreply at wordpress.org
Mon Aug 20 18:39:38 UTC 2018

#7948: HTML sanitization for user-generated content in notification emails
 Reporter:  boonebgorges  |      Owner:  (none)
     Type:  enhancement   |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Core          |    Version:
 Severity:  normal        |   Keywords:  2nd-opinion
 [10479] migrated email notifications over to `bp_send_email()`. In the old
 non-HTML system, we stripped all tags from user-provided content before
 assembling the email, because HTML wasn't supported. We maintained this
 convention after the change, and we run content through
 `wp_strip_all_tags()` before passing it to `bp_send_email()`.

 I'm hoping that @djpaul can provide some of the original motivation for
 this. I'm assuming it was mostly because rendering HTML in emails is
 really hard, and it was one more thing to worry about; also, we were
 putting user-provided content into a `blockquote`, which made the problem
 of embedded content even more potentially complex.

 I've implemented `bp_send_email()` integration in a few plugins, and have
 run into problems when I don't strip tags from `usermessage`. HTML
 generally works fine, but there are certain things that can break. Nested
 `blockquotes` cause problem, as do inline images that are wider than 600px
 (the width of the BP email template). Since `bp_send_email()` doesn't do
 any validation or sanitization of `usermessage` - it doesn't need to, for
 core emails - these issues are allowed to bleed through into the email

 I can work around these issues in the plugins, but the issues are likely
 to be shared by any plugin using `bp_send_email()`, so I wanted to gauge
 whether others (especially @djpaul) think it's worth exploring the
 introduction of a few pieces of validation into BP core itself. I was
 thinking of starting by a tool that parses `img` tags and ensures that
 `width` can never be more than `600`. But if others think that this is
 insane to try to handle in BP, we could just add something to the docs
 that explains that `usermessage` is expected to be plaintext, and clients
 are responsible for their own sanitization if they choose to pass HTML.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/7948>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list